The 27-year-old developer named Emotional Jain revealed in his blog post on May 30 that he discovered a bug in Apple's 'Sign in with Apple' process in April. The Sign in with Apple feature was introduced in June last year.
Apple has reportedly paid $100,000 (about 75.3 lakh rupees) to an Indian developer who found a bug in the company's 'Sign in with Apple' process. The 27-year-old developer is named Bhavishya Jain. Jain found a zero-day bug in the 'Sign in with Apple' process through which hackers could access the accounts of Apple users signing in. The company acknowledged the bug and said that it was fixed after investigation. However, the company also said that the bug had not been exploited.

What is 'Sign in with Apple'?

Jain revealed in his blog post on May 30 that he discovered a bug in Apple's 'Sign in with Apple' process in April. The Sign in with Apple feature was introduced in June last year. This feature allows Apple account holders to sign in to third-party apps without sharing their email IDs. The process generates a JSON Web Token (JWT), which contains the information a third-party app uses to identify the user. The feature was introduced to protect user privacy, but the zero-day bug found by Jain exposed user accounts to attack.

Sign in with Apple bug

According to Jain's blog post, signing in with Apple requires users to log in with their Apple account. That is the first step. In the second step, there was no check that the request for the JWT passed to the third-party app was made by the same user. This is how a hacker could take over a user's account. Jain said that he could request a JWT from Apple for any email ID, and when the signature of these tokens was verified using Apple's public key, they were shown as valid. This means that any hacker could request a JWT for any email ID and access anyone's account. Jain said that this flaw is very serious and that through it a hacker can take over anyone's account.
Through this, hackers can take personal data of users, which includes personal information such as log-ins, credentials, passwords and account details. Although most apps do not support this sign-in process, it is available on Dropbox, Giphy, Spotify, and Airbnb.
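The missing check in the second step can be modelled in a few lines. The following is an added example, not Apple's code or code from Jain's post: the session store, function names and the HMAC signing key (standing in for Apple's public-key signature) are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json
from typing import Optional

IDP_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the provider's signature

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(signing_input: str) -> str:
    return _b64(hmac.new(IDP_KEY, signing_input.encode(), hashlib.sha256).digest())

def _sign(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_mac(header + '.' + body)}"

def verify(token: str) -> Optional[dict]:
    """Third-party app's view: it can only check the signature on the token."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _mac(f"{header}.{body}")):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

# Constructed sample data: session id -> email that authenticated in step 1
SESSIONS = {"sess-alice": "alice@example.com", "sess-mallory": "mallory@example.com"}

def issue_token_flawed(session_id: str, requested_email: str) -> Optional[str]:
    """Step 2 as described: a logged-in session may name any email in its request."""
    if session_id not in SESSIONS:
        return None
    return _sign({"sub": requested_email, "email": requested_email})

def issue_token_fixed(session_id: str, requested_email: str) -> Optional[str]:
    """Step 2 with the check: the token is issued only for the authenticated identity."""
    authenticated = SESSIONS.get(session_id)
    if authenticated is None or authenticated != requested_email:
        return None
    return _sign({"sub": authenticated, "email": authenticated})
```

Because the flawed issuer signs whatever email is requested, the third-party app's signature check passes and cannot detect the problem; the fix has to be on the issuing side.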
Author: Hi, I'm Elina, the author of this blog.